The AUTH Command

The AUTH command is an ESMTP command (SMTP service extension) that
is used to authenticate the client to the server. The AUTH command sends
the clients username and password to the e-mail server. AUTH can be combined
with some other keywords as PLAIN, LOGIN, CRAM-MD5
and DIGEST-MD5 (e.g. AUTH LOGIN) to choose an authentication mechanism.
The authentication mechanism chooses how to login and which level of security
that should be used. Below are the AUTH PLAIN, AUTH
LOGIN and AUTH CRAM-MD5 commands/mechanisms described.

In the SMTP communication examples
listed below the letters C and S are used to refer
to the client and the server (C = Client, S = Server).

AUTH PLAINOne common method to login to an
SMTP server is to use the PLAIN mechanism. The example below shows
how AUTH PLAIN can be used to login:

After the client has sent
the AUTH PLAIN command to the server, the server responds with a 334 reply
code. Then the username and password are sent from the client to the server.
The username and password are combined to one string and BASE64 encoded
("dGVzdAB0ZXN0ADEyMzQ=" in the example above). Although the keyword PLAIN
is used, the username and password are not sent as plain text over the Internet
- they are always BASE64 encoded. If you want to read more about BASE64
encoding, you can open
this Internet
page.It is also possible to send the username
and password, together with the AUTH PLAIN command, as a single line. Then
the whole login process can be handled this easy:

After that the AUTH LOGIN
command has been sent to the server, the server asks for username and password
by sending BASE64 encoded text (questions) to the client. “VXNlcm5hbWU6”
is the BASE64 encoded text for the word "Username" and “UGFzc3dvcmQ6” is
the BASE64 encoded text for the word "Password" in the example above. The
client sends username and password also using BASE64 encoding. "adlxdkej",
in the example above, is a BASE64 encoded username and "lkujsefxlj" is a
BASE64 encoded password.

AUTH CRAM-MD5One drawback using the PLAIN and
LOGIN authentication mechanisms is that the username and password can be
decoded quite easy if somebody monitor the SMTP communication. To obtain
higher security an authentication mechanism with the name CRAM-MD5
can be used instead. CRAM-MD5 combines a challenge-response authentication
mechanism to exchange information and a cryptographic Message Digest 5 algorithm
to encrypt important information.The example below shows how AUTH CRAM-MD5
can be used to login to an SMTP server:

After that the AUTH CRAM-MD5 command
has been sent to the server, the servers sends back an one-time BASE64 encoded
"challenge" to the client (see [1]above). The client responds by sending a BASE64 encoded string to
the server that contains a username and a 16-byte digest in hexadecimal
notation (see [2]above).The digest in the reply string is the
output of an HMAC
(Hash-based Message Authentication Code) calculation with the password as
the secret key and the SMTP server's original challenge as the message.
The SMTP server also calculates its own digest with its notion of the user's
password, and if the client's digest and the server's digest match then
authentication was successful and a 235 reply code is sent to the client.The CRAM-MD5 authentication mechanism
is more secure than the other two mechanisms described earlier because the
password can not be retrieved by decoding the BASE64 encoded client response.
The password is used as the key to calculate the HMAC but the password is
not stored anywhere in the response. The client response is also invalid
for further authentications because of the "challenge" sent from the server
was an one-time "challenge" (often with a current time stamp included) and
can not be re-used by somebody who monitors the SMTP communication.